APIs have become an effective communication method for many fintech’s, banks, and credit unions. Therefore, when conducting an API risk assessment, it is essential to include evaluating new business partners and third-party agents.

Is your institution deploying "Open Banking"? Do you have an API management platform to manage risks?

An API management platform is a secure platform that provides for individual or tiered controls. Platform controls must always protect the institution, including before a partner sign-on and during ongoing operations. For example, suppose a partner or app intentionally or accidentally goes astray. In that case, the partner or app can be selectively disconnected from the API platform while the rest of the APIs and partners serving customers continue to be connected and secured.

The API Risk Assessment Questionnaire below addresses the risk issues that management must consider when offering open banking services made possible through Application Programming Interfaces.

API Risk Assessment Questionnaire

Answer YES or NO to these Risk Assessment Questions

Does the institution have a centrally managed API program?

Does the API management program limit brand risk through controls over external interactions?

Are new initiatives launched with proper controls over APIs and applications?

Does the API management program enforce proper data usage?

Do the institution’s information systems support ERM?

Does the institution maintain adequate controls over sensitive data according to regulatory requirements?

Does the institution have an effective cybersecurity program in place?

Does the institution routinely investigate new business partners and third-party vendors to ensure that they maintain proper security controls over data and APIs?

Does the institution provide routine training to ensure that employees are informed about the changing nature of API functionality and management’s strategy for using APIs to serve customers better?

Does the institution have a routine API monitoring program to identify and correct operational and security issues?

Adopting a Centrally Managed API Platform

What is an API management platform?

An API platform monitors customer requests to protect an online service or application from processing more queries than can be handled.

The security provided by a centrally managed API platform should support innovation while providing security rule enforcement. For instance, a well-managed API platform should enable business lines, customers, and partners to launch new initiatives but provide controls to avoid one-off applications that evade corporate objectives or security standards. Additionally, API programs and processes should create a framework for using data correctly.

The API management platform should enforce proper data usage by establishing governing procedures for data based on government and industry standards for information exchange and rapid development practices. Also, ensure that data propagated from core systems is consistent and controlled through API management policies.

Organizations must establish robust protocols for screening business partners and third parties, including contracts with provisions that include the right to monitor partner conduct.

What are some uses for API management platforms?

Examples of how institutions are using API management platforms include:

• To enforce service level agreements

• To conduct traffic control of customer requests

• To securely encrypt data

• To serve as an intermediary between core systems, business lines, and customers

• To quickly detect inaccurate records

• To control access to data and information

• To protect the institution’s brand information

• To ensure compliance with third-party licensing agreements

• To automate compliance with international privacy laws and regulations

Enforcement trends and government regulations can change quickly. An institution’s API governance, risk, and compliance team should establish training policies based on changing API functionality and strategy. Overall, an API platform should enable rapid responses to business regulations and conditions.

API management platforms should also provide a complete audit trail of all data consumed and contributed to enterprise systems. An API management platform can be an asset for governance and compliance because it creates a central repository for risk officers to monitor data flows and enforce governance policies. Without an API management platform, organizations run the risk of supporting multiple electronic entry points and single-purpose integrations with partners, which may be unsupervised.

Want to learn more about API risks? Click here for our course on Vendor Management: Conducting an API Risk Assessment where we discuss these important topics:

• What is an API?

• Why banks are participating in the API economy

• Types of API applications in the banking space

• Understanding API threats and vulnerabilities

• Identifying risk exposures and business impact

• Understanding API risk mitigation best practices

• Methods for conducting an API Risk Assessment